How to get rid of the w32.nimda virus:

ntsecrets.com 26 September 2001

The virus known as the w32.nimda virus has caused havoc throughout external and internal networks and organizations. I've observed the activity of this virus along with having to battle and clean up after it.

nimda is admin spelled backwards, a name attributed by an anti-virus company in the Netherlands.

How does it work (basically)?

This virus has 4 basic ways of attacking and spreading (that I know of)

What does this affect?

Most environments will suffer high amounts of network traffic and packet loss. This is the result of the active worm doing random port scanning of remote systems that it can potentially infect. Here is a sample of the worm attempting the IIS infection:


2001-09-26 01:21:21 xxx.100.203.88 - 24.48.198.69 80 GET /scripts/root.exe /c+dir 404 -
2001-09-26 01:22:11 xxx.100.203.88 - 24.48.198.69 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
2001-09-26 01:22:11 xxx.100.203.88 - 24.48.198.69 80 GET /d/winnt/system32/cmd.exe /c+dir 404 -
2001-09-26 01:22:22 xxx.100.203.88 - 24.48.198.69 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
2001-09-26 01:22:46 xxx.100.203.88 - 24.48.198.69 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2001-09-26 01:22:50 xxx.100.203.88 - 24.48.198.69 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2001-09-26 01:23:00 xxx.100.203.88 - 24.48.198.69 80 GET /msadc/..%5c../..%5c../..%5c/..Á ../..Á ../..Á ../winnt/system32/cmd.exe /c+dir 404 -
2001-09-26 01:23:00 xxx.100.203.88 - 24.48.198.69 80 GET /scripts/..Á ../winnt/system32/cmd.exe /c+dir 404 -
2001-09-26 01:23:02 xxx.100.203.88 - 24.48.198.69 80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 -
2001-09-26 01:23:06 xxx.100.203.88 - 24.48.198.69 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2001-09-26 01:23:10 xxx.100.203.88 - 24.48.198.69 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2001-09-26 01:23:17 xxx.100.203.88 - 24.48.198.69 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
2001-09-26 01:23:21 xxx.100.203.88 - 24.48.198.69 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
2001-09-26 01:23:25 xxx.132.203.88 - 24.48.198.69 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
2001-09-26 01:23:35 xxx.100.203.88 - 24.48.198.69 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 404 -
2001-09-26 01:41:58 xxx.48.169.149 - 24.48.198.69 80 GET /default.ida XXXXX..... .....200 -
2001-09-26 01:45:07 xxx.48.116.121 - 24.48.198.69 80 GET /scripts/root.exe /c+dir 404 -
2001-09-26 01:45:11 xxx.48.116.121 - 24.48.198.69 80 GET /MSADC/root.exe /c+dir 404 -
2001-09-26 01:54:32 xxx.48.116.121 - 24.48.198.69 80 GET /scripts/root.exe /c+dir 404 -
2001-09-26 01:54:37 xxx.48.116.121 - 24.48.198.69 80 GET /MSADC/root.exe /c+dir 404 -


(addresses have been replaced with xxx to protect the innocent).

Here you see the two forms of attacks via the web: the Unicode Traversal method and the Code Red II method (root.exe).
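As an added example (not code from the original article), the following Python triages IIS W3C extended log lines for the request shapes shown above and produces the per-source list of infected machines that the cleanup section later says to compile. The sample lines and addresses are constructed, and the overlong UTF-8 traversal encodings (%c0%af, %c1%1c, %c1%9c) are an assumption about what the raw log renders as garbled characters.

```python
import re
from collections import defaultdict

# Request shapes Nimda sends to IIS, taken from the log sample above: the Code
# Red II backdoor (root.exe), cmd.exe reached directly or through encoded "..\"
# traversal, and the .ida probe. %5c and %2f appear in the sample; the overlong
# UTF-8 forms %c0%af, %c1%1c and %c1%9c are an assumption about what the raw
# log renders as garbled characters.
SIGNATURES = {
    "code_red_ii_backdoor": re.compile(r"/root\.exe", re.I),
    "unicode_traversal": re.compile(r"\.\.(%5c|%2f|%c0%af|%c1%1c|%c1%9c)", re.I),
    "cmd_exe_reach": re.compile(r"/winnt/system32/cmd\.exe", re.I),
    "ida_probe": re.compile(r"/default\.ida", re.I),
}

def parse_iis_line(line):
    """W3C extended fields: date time client-ip - server-ip port method uri query status."""
    p = line.split()
    if line.startswith("#") or len(p) < 8:
        return None
    return {"when": p[0] + " " + p[1], "client": p[2], "uri": p[7]}

def classify(uri):
    """Nimda request kinds a URI matches; empty list for ordinary traffic."""
    return sorted(k for k, rx in SIGNATURES.items() if rx.search(uri))

def attacking_hosts(lines):
    """Client IP -> set of request kinds: the list of machines to take off the net."""
    hosts = defaultdict(set)
    for rec in filter(None, map(parse_iis_line, lines)):
        hosts[rec["client"]].update(classify(rec["uri"]))
    return {ip: kinds for ip, kinds in hosts.items() if kinds}

# Constructed sample modelled on the page's log: two worm sources, one clean client.
SAMPLE_LOG = """\
2001-09-26 01:21:21 10.0.0.5 - 192.0.2.10 80 GET /scripts/root.exe /c+dir 404 -
2001-09-26 01:22:22 10.0.0.5 - 192.0.2.10 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
2001-09-26 01:23:00 10.0.0.5 - 192.0.2.10 80 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 404 -
2001-09-26 01:41:58 10.0.0.9 - 192.0.2.10 80 GET /default.ida XXXXXXXX 200 -
2001-09-26 01:42:03 10.0.0.7 - 192.0.2.10 80 GET /index.htm - 200 -
""".splitlines()

if __name__ == "__main__":
    for ip, kinds in sorted(attacking_hosts(SAMPLE_LOG).items()):
        print(ip, ", ".join(sorted(kinds)))
```

Feed it the real log file with open(path) and the loop prints one line per source address with the kinds of request seen from it.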

How to protect:

  1. Get the very latest version of your anti-virus software and definitions on your system.
  2. If the system does NOT need to run IIS, stop it! (Set the World Wide Web Publishing Service startup type to Manual and stop the service.)
  3. If the system is a web server, apply the patch described in security bulletin MS00-078.
  4. Rename or remove the "scripts" virtual root in the IIS management console
  5. Rename or remove the MSADC virtual root in the IIS management console
  6. Remove any .ida files present on the site.

Via e-mail attacks:

The worm has several methods for spreading itself via e-mail. It first exploits the MIME security hole described in Microsoft security bulletin MS01-020. It then searches for e-mail addresses in the temporary files on the system and also sends itself to all recipients in the Outlook address book. It has its own SMTP engine to send the messages.

How to protect:

  1. Get the very latest version of your anti-virus software and definitions on your system.
  2. Do not open messages with attachments named readme.exe.
  3. Install the Microsoft security patch described in MS01-020.

Damage to system:

The worm does several somewhat damaging acts against the systems that host it. These can include:

An infected Windows NT system is easily identified by checking Task Manager for running processes called:

TFTP
mmc.exe

Note that mmc.exe is also the name of the legitimate Microsoft Management Console; the legitimate copy, however, resides in the system32 folder and not in the root of the WINNT folder. While the worm's mmc.exe is running it cannot be deleted, and terminating the process in Task Manager only starts another one. It is possible, however, to use a utility such as zap.exe (in the Systems Management Server resource kit) to delete the file while it is in use.

Therefore, to clean a system manually you may need to do the following:

  1. Do a full virus scan on your system. Make sure the scanning software checks all files, including .eml, .nws, .exe and .dll files.
  2. Delete any suspicious .eml and .nws files on the system.
  3. Delete the scripts folder in the inetpub folder if it exists (and is not used otherwise).
  4. Delete all copies of admin.dll found in the root of any system drive. (admin.dll is also a real filename used by MS FrontPage.)
  5. Remove the Guest account from the Administrators group, and disable it if needed.
  6. Check riched20.dll and replace if necessary.
  7. Remove any root.exe files (left over from a Code Red II infection).
  8. The system.ini Shell setting should be shell=Explorer.exe.
  9. APPLY ALL SECURITY PATCHES as described in this article.

Many ISPs have been forced to shut off port 80 because too many clients were unknowingly running IIS and, once infected, were generating too much traffic. If your business is being infected internally, check the web logs of a server that is being attacked and compile a list of machines to shut off. A good trick for finding the name and user of a system remotely is the following:

If machine 192.168.1.2 was attacking an IIS server according to the log:

Open a command window on a Windows NT or 2000 machine.
Type nbtstat -A 192.168.1.2 (replacing the address with the IP you found in the log). The output looks like this:

       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
INet~Services  <1C>  GROUP       Registered
IS~ONE.........<00>  UNIQUE      Registered
ONE            <20>  UNIQUE      Registered
USERNAME       <03>  UNIQUE      Registered

MAC Address = 00-60-69-74-04-FF

The machine name is the entry of type <20>. The logged-on user may also be seen as an entry of type <03>. These machines should be disconnected from the network and cleaned offline if possible. Symantec Corp has created a removal tool that is available from:

http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

A good write-up about the virus and what it can do is also on the Symantec web site:

http://www.symantec.com/avcenter/venc/data/[email protected]
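An added example, not part of the original article, that parses captured nbtstat -A output and pulls out the <20> machine name and <03> user discussed above; the sample table is constructed. It also uses the INet~Services and IS~<name> entries, which IIS registers, as a signal that the host is running a web server, which is exactly the case the ISP paragraph describes.

```python
import re

# Added example: reads the output of "nbtstat -A <ip>" (captured by hand, since
# this runs offline) and picks out what the page says to look for. Suffix
# meanings: <20> UNIQUE = machine (server service), <03> UNIQUE = machine and
# logged-on user (messenger service), <00> GROUP = domain/workgroup. The
# INet~Services <1C> and IS~<name> <00> entries are registered by IIS, so they
# also tell you the host is running a web server.
ROW = re.compile(r"^\s*(\S+?)\.*\s*<([0-9A-F]{2})>\s+(UNIQUE|GROUP)\s+Registered", re.I)

def parse_nbtstat(output):
    info = {"machine": None, "user": None, "domain": None, "mac": None, "iis": False}
    names03 = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            name, suffix, kind = m.group(1), m.group(2).upper(), m.group(3).upper()
            if suffix == "20" and kind == "UNIQUE":
                info["machine"] = name
            elif suffix == "03" and kind == "UNIQUE":
                names03.append(name)
            elif suffix == "00" and kind == "GROUP":
                info["domain"] = name
            if name.upper() == "INET~SERVICES" or name.upper().startswith("IS~"):
                info["iis"] = True
        elif "MAC Address" in line:
            info["mac"] = line.split("=", 1)[1].strip()
    # The user is whichever <03> UNIQUE name is not the machine name itself.
    info["user"] = next((n for n in names03 if n != info["machine"]), None)
    return info

# Constructed sample in the shape of the table shown above.
SAMPLE_NBTSTAT = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
ONE            <00>  UNIQUE      Registered
WORKGROUP      <00>  GROUP       Registered
ONE            <20>  UNIQUE      Registered
INet~Services  <1C>  GROUP       Registered
IS~ONE.........<00>  UNIQUE      Registered
ONE            <03>  UNIQUE      Registered
USERNAME       <03>  UNIQUE      Registered

MAC Address = 00-00-5E-00-53-01
"""
```

In practice you would run nbtstat -A once per address from the log triage and pass each captured output to parse_nbtstat.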

Visit NTQA 2000 if you would like to post any additional tricks for removing this virus.



NTSecrets.com is not affiliated with Symantec Corp or Microsoft Corp. Each hold and reserve their trademarks and rights.